
Re: [SRM] foomatic-filters 4.0.5-6+squeeze2 security upload for CVE-2011-2924


Didier 'OdyX' Raboud <odyx@debian.org> (06/03/2012):
> as I noticed from the PTS that foomatic-filters is still affected by
> CVE-2011-2924 on stable, here I am with a stable upload (I went to the
> Security Team first and got asked to go through a Point update instead).
> (Note that the last upload of foomatic-filters to stable-security was to
> fix the similar but not same CVE-2011-2964.)
> The proposed patch (and full debdiff, but it's a diff-of-diff) is
> attached as CVE-2011-2924.patch and was verbatim backported from the
> upstream VCS at [ff256]. The proposed changelog is as follows:
> foomatic-filters (4.0.5-6+squeeze2) stable; urgency=low
>    * Fix CVE-2011-2924
>     "foomatic-rip (debug mode) insecure temporary file use in renderer
>      command line by processing PostScript data"
>     - Backport debian/patches/CVE-2011-2924.patch from upstream, add
>       DEP-3 headers.
> Opinions ?

I think a reference to a Debian bug would be nice to have. Adam?

(From the security tracker it looks like unstable and testing aren't
 affected: http://security-tracker.debian.org/tracker/CVE-2011-2924)

Doesn't look too bad otherwise. No error checking for mktemp in the last
hunk, though…
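
On the remark above about unchecked temporary-file creation, here is an added C example; it is not part of the original message and not the foomatic-filters patch, which is not shown on this page. The helper name `create_scratch_file` and the `scratch-` prefix are hypothetical, and the sketch assumes mkstemp(3) is available; it fails closed when the file cannot be created.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not from foomatic-filters): create a private scratch
 * file under `dir` and return its descriptor, or -1 with errno set.
 * On success the generated name is left in `path`. */
int create_scratch_file(const char *dir, char *path, size_t pathlen)
{
    int n = snprintf(path, pathlen, "%s/scratch-XXXXXX", dir);
    if (n < 0 || (size_t)n >= pathlen) {   /* template would be truncated */
        errno = ENAMETOOLONG;
        return -1;
    }
    /* mkstemp() chooses the name and opens it with O_CREAT|O_EXCL and mode
     * 0600 in one step, so a pre-planted file or symlink is never followed. */
    int fd = mkstemp(path);
    if (fd == -1) {
        int saved = errno;
        path[0] = '\0';    /* never hand callers an unusable template */
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    char path[4096];
    const char *dir = getenv("TMPDIR");
    int fd = create_scratch_file(dir ? dir : "/tmp", path, sizeof path);
    if (fd == -1) {
        fprintf(stderr, "cannot create scratch file: %s\n", strerror(errno));
        return EXIT_FAILURE;   /* fail closed: no fallback to a fixed name */
    }
    printf("scratch file created at %s\n", path);
    close(fd);
    unlink(path);
    return EXIT_SUCCESS;
}
```
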

